Cybersecurity Blog: The Cyber Scene is evolving, are you?

Gib Sorebo
Gib Sorebo is a Chief Cybersecurity Technologist for Leidos where he assists both government and private sector organizations in addressing cybersecurity risks as well as complying with legal and regulatory requirements.
He has been working in the information technology industry for more than twenty years in both the public and private sectors. In addition to federal and state governments, Gib has done security consulting in the financial services, health care, and energy sectors. He is currently responsible for coordinating cybersecurity activities in the energy sector company-wide.
He recently co-authored a book on Smart Grid Security that was published in December 2011. He is also a frequent speaker at national security and utility conferences, such as the RSA Security Conference, FINRA Annual Conference, CSI Annual Conference, multiple oil & gas cybersecurity conferences, and the FIRST Annual Conference, where he has given talks on the Internet of Things, information security liability, Sarbanes-Oxley, E-Discovery, smart grid security, incident response, breach notification, and several other topics.
Gib holds a law degree from the Catholic University of America, a Master’s Degree in Legislative Affairs from George Washington University, and a Bachelor’s Degree in Political Science from the University of Chicago.

The cyber-attack on Ukraine power centers last December — an event that took 30 substations offline and left more than 230,000 residents without power — was a rude awakening for power generation plants and distribution centers around the world. Despite being well-segmented from the control center business networks with robust firewalls — notably more secure than some U.S. operations — the network was still breached.

The remark “never a dull moment” is rarely an expression used to indicate joy. Instead, it’s a semi-sarcastic way of lamenting unwelcome excitement. While no one wants to have a boring job, spending one’s time fighting ransomware outbreaks that disrupt business operations and put one’s job at risk is not the kind of exhilarating challenge that most Chief Information Security Officers (CISOs) pine for. The recent WannaCry outbreak has all the hallmarks of this unwelcome excitement. The ransomware infects computers by exploiting a vulnerability that Microsoft patched two months ago. It propagates through a network port that every enterprise should be locking down. It exhibits malicious behavior that should be relatively easy to detect and mitigate. By some accounts, it was arguably a poorly executed attack that did a mediocre job of accomplishing what appears to be its most important objective - extracting money from its victims.

While the market may be focusing less on perimeter security, enterprises can improve overall cybersecurity and save time by taking a few simple steps for their perimeter networks.

It’s not easy being a Chief Information Security Officer (CISO) these days. While the regular drumbeat of news of cyber attacks has meant that board members and the executive suite now actually know the name of their CISO, more attention and budget isn’t always a good thing. That’s because there isn’t always a consensus on where that money should be spent. Some cybersecurity market segments, like endpoint detection and response (EDR) technologies, have more than a dozen players all spending millions on sales and marketing. Many CISOs have stopped answering their phones for any caller they don’t recognize due to the onslaught of sales calls. While NIST and other standards organizations have done a fairly good job of defining the basic table stakes for cybersecurity, most large enterprises still struggle with thwarting attacks even with all the right boxes checked.

As I noted in my earlier blog post, there is growing concern about the cybersecurity risks of the Internet of Things (IoT), particularly their effects on third parties, as the recent Mirai botnet attack demonstrated. At this year’s RSA Conference in San Francisco, IoT cybersecurity was one of the most discussed topics, ranging from policy to the latest exploits. I was fortunate to serve on a panel discussing IoT and ransomware in front of a packed room. While hype is undoubtedly a factor, the massive interest certainly demonstrates the huge market forces at work that are still in their infancy. As Bruce Schneier noted in his RSAC talk, the social, economic, and safety implications of the Internet of Things mean that government regulations are not far behind. In fact, Bruce even advocates for the establishment of a government agency to address it, while acknowledging that he currently cannot provide the details for how such an agency would operate, what regulations would be needed, or how such regulations would be enforced.

With all the emphasis on cybersecurity frameworks over the last couple of years, it probably shouldn’t surprise anyone that a lot of organizations find themselves working off checklists of cybersecurity controls that they assume will give them better security. What is often missed is that these controls need to work together as an integrated system. For thousands of years, we’ve understood this in the realm of physical security. From the most ancient castles, security was built to initially keep intruders from entering using some sort of barrier like a lock or a moat. However, castles were also built with high towers with sentries posted around the clock to see the enemy coming, because we knew that simple barriers would never be enough for a determined adversary. Finally, armies were at the ready to repel invaders if the sentries determined that the barriers would not be sufficient. Even today, for the most basic security of our homes, we understand the difference between a basic control and a security system. If we asked a builder for a security system and his response was that there were locks on the doors, we wouldn’t be satisfied. Most of us know that when we say security system, it means a combination of controls working together. At minimum, we would expect locks, sensors on all exterior doors and first floor windows connected to a central panel with an audio alarm, and the ability to automatically notify a watch center operating at all times that could notify us and/or the police to respond.

Last month I spoke at a cybersecurity forum of public power utilities. Many were fairly small and, for the most part, were subject to the provisions of the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards that many of their larger brethren have been struggling to comply with. Nonetheless, I was struck by how many were trying to “do the right thing” with respect to cybersecurity. Given their limited budgets, much of that commitment was centered on the efforts of their employees rather than the purchase of expensive technologies. But I was still heartened by that effort when many larger utilities seem to be checking the box. Some of that is an understandable exhaustion from multiple years of intensive scrutiny by NERC CIP auditors and their overseers at the Federal Energy Regulatory Commission (FERC). With the most recent deadline passing last April, it’s not surprising that some utilities may be taking a breather. At the very least, the urgency is less now despite some passing news. For a while we thought that the Russians were hacking Burlington Electric, but that story fizzled, notwithstanding the utility’s laudable efforts to alert the industry to a threat. Potentially more serious were Turkey’s claims that someone in the United States hacked their grid and caused an outage, but weather was the more likely culprit. Finally, it seems we had a sort of repeat of December 2015’s power grid outage in Ukraine; this one being investigated as a cyber attack in Kiev.

Healthcare payments will soon become outcome-based; that’s been the message for 20 years. After all, paying for quality outcomes is an obvious step in our healthcare system’s evolution. Until recently, it has been impossible to manage outcomes across the entire spectrum of healthcare settings. But the one thing shown by the 90s payment models is that when the technology and processes for managing care lack financing, tremendous value destruction occurs.

It wasn’t supposed to be like this. Despite complaints about rising costs and byzantine bureaucracies, the healthcare industry is about helping people. With a significant portion being non-profit, the industry is hardly the epitome of wealth. There’s no doubt that the financial services industry is a much juicier target. And unlike defense contractors or the governments they serve, it’s hard to blame healthcare for the world’s conflicts. But like it or not, it has a target on its back. Like cigarettes in prison, healthcare records are perceived to have an almost mythical value, with estimates going to fifty dollars or higher among those trafficking in illicit goods. And like prison cigarettes, that perceived value drives the market more than any actual return on investment. After all, successful identity theft is hardly a trivial exercise. It’s much easier to be a middleman.